On 29 October 2021, the Cyberspace Administration of China (CAC) released the draft Measures for Security Assessment of Cross-border Transfer of Data (the draft Measures) and is accepting public comments until 28 November 2021.
The draft Measures contain detailed rules associated with the general requirements of the security assessment as provided under the PRC Cybersecurity Law (effective from 1 June 2017), PRC Data Security Law (effective from 1 September 2021), and PRC Personal Data Protection Law (effective from 1 November 2021) and are expected to address the concerns of data processors in terms of ambiguity in this regard under the aforementioned existing laws.
Circumstances subject to security assessment by CAC
As a general rule, not all cross-border data transfer activities are subject to security assessment by CAC. For instance, in terms of personal data, the PRC Personal Data Protection Law generally provides that only critical information infrastructure (CII) operators and personal data processors processing personal data that reaches the quantity threshold (see below) must pass the security assessment organised by CAC before the cross-border transfer of data.
The draft Measures further specify that prior to any cross-border transfer of data, CII operators and personal data processors will be subject to a security assessment conducted by CAC in any of the following circumstances:
- Transfer of personal data and important data collected and generated by CII operators
- Transfer of important data1
- Transfer of personal data by a personal data processor that has processed personal data of more than one million persons
- Transfer of the personal data of 100,000 persons or more or transfer of the sensitive personal data of 10,000 persons or more
- Other circumstances provided by CAC